A Perspective on Bitcoin and Blockchain
BART PRENEEL
6 JUNE 2017
IMEC-COSIC KU LEUVEN
BART.PRENEEL(AT)ESAT.KULEUVEN.BE
Currencies = maintaining memory
“Envelope and contents from Susa, Iran, circa 3300 BCE.”
“Each lenticular disc stands for “a flock” (perhaps 10 animals). The large cone represents a very large measure of grain; the small cones designate small measures of grain.”
Tensions between centralized and de-centralized ways to remember value exchanges, debts, and what is due
• Centralization (clay tablet): economies of scale, high-integrity, vulnerable
• Decentralized (coins): high-availability, difficult to destroy as a system, forgery
Image provided courtesy of Denise Schmandt-Besserat and Musée du Louvre, Département des Antiquités Orientales
Slide credit: George Danezis
Hash functions (1975): one-way
easy to compute but hard to invert
This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).
1A3FD4128A198FB3CA345932f
RIPEMD-160, SHA-256, SHA-512, SHA-3
Digital signatures (1975): “equivalent” to manual signature
Donald agrees to pay to Hillary 100 Bitcoins on Feb. 22 2017
Public key
Private key
Timestamping (1990)
Collect documents and hash them with a Merkle tree
Chain these trees together with a hash chain
Publish intermediate values on a regular basis
[Figure: hash chain, function f applied in sequence to t1, t2, t3]
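
An added example (not from the original slides) of the scheme above: each round's documents are hashed into a Merkle tree, the roots are linked in a hash chain, and a document is later checked from its sibling path plus the published link. SHA-256, the 0x00/0x01 prefixes, the all-zero starting value and the sample documents are assumptions of this sketch.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed public starting value of the hash chain

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(doc: bytes) -> bytes:
    return H(b"\x00" + doc)  # prefix separates leaves from inner nodes

def parent_level(level):
    nxt = [H(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])  # an unpaired node moves up unchanged
    return nxt

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = parent_level(level)
    return level[0]

def merkle_proof(leaves, index):
    """Sibling hashes from leaf `index` to the root; flag True = sibling on the left."""
    level, proof = list(leaves), []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        level, index = parent_level(level), index // 2
    return proof

def build_chain(rounds):
    """One Merkle root per round; link_i = H(link_{i-1} || root_i) is the published value."""
    links, prev = [], GENESIS
    for docs in rounds:
        prev = H(prev + merkle_root([leaf(d) for d in docs]))
        links.append(prev)
    return links

def verify_timestamp(doc, proof, prev_link, published_link):
    node = leaf(doc)
    for sibling, sibling_is_left in proof:
        node = H(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return H(prev_link + node) == published_link

# Constructed sample input: two rounds of submitted documents.
ROUNDS = [[b"contract-A", b"invoice-B", b"will-C"], [b"patent-D", b"log-E"]]
LINKS = build_chain(ROUNDS)
PROOF_C = merkle_proof([leaf(d) for d in ROUNDS[0]], 2)
```

The verifier needs only the document, its short sibling path and two published chain values; it never sees the other documents of the round.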
Timestamping: Surety Technologies (°1994)
http://www.surety.com/
Distributed logging + Privacy
http://www.project-opacity.com/
Bitcoin? (2008)
E-currency with distributed generation and verification of money
Transactions
◦ irreversible
◦ inexpensive
◦ over anonymous peer-to-peer network
◦ broadcast within seconds and verified within 10 to 60 minutes by inclusion in hash chain
◦ pay using private key (digital signature); verify with public key
◦ double spending prevention using a public decentralized ledger (chaining mechanism)
Pseudonymous
◦ Money is linked to public key – can generate arbitrary key pairs and move money around
◦ But in many cases identification is possible
Market price in USD (market cap ≈ 42.5 B$)
2011 bubble
1 Bitcoin = 2593 $
BlockChain: a public decentralized ledger
Bitcoin transactions
[Figure: blockchain; Block1, Block2, Block3 chained through f over t1, t2, t3, with nonce1, nonce2, nonce3 and each output “small”]
Also include in every block timestamp and difficulty level of puzzle
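
An added example (not from the original slides) of the chaining shown above: each block commits to its predecessor's hash, a timestamp and a difficulty level, and a nonce is searched until the block hash is “small”. The JSON encoding, the 12-bit difficulty, the 600-second spacing and the sample transactions are assumptions chosen so that it runs in well under a second.

```python
import hashlib, json

def block_hash(block: dict) -> int:
    payload = json.dumps(block, sort_keys=True).encode()  # assumed encoding
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def target(bits: int) -> int:
    return 1 << (256 - bits)  # "small" = hash below this value

def mine(prev: int, txs, timestamp: int, bits: int) -> dict:
    block = {"prev": prev, "txs": txs, "time": timestamp, "bits": bits, "nonce": 0}
    while block_hash(block) >= target(bits):
        block["nonce"] += 1  # puzzle: try nonces until the hash is small
    return block

def build(tx_batches, bits=12, t0=0):
    chain, prev = [], 0
    for i, txs in enumerate(tx_batches):
        chain.append(mine(prev, txs, t0 + 600 * i, bits))
        prev = block_hash(chain[-1])
    return chain

def valid_chain(chain, min_bits=12) -> bool:
    prev = 0
    for block in chain:
        if block["prev"] != prev or block["bits"] < min_bits:
            return False  # broken link, or puzzle easier than required
        prev = block_hash(block)
        if prev >= target(block["bits"]):
            return False  # nonce does not solve the puzzle
    return True

# Constructed sample transactions, one batch per block.
BATCHES = [["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]]
CHAIN = build(BATCHES)

def rewrite_first_block(chain, new_txs):
    """Replace the first block's transactions and re-mine only that block."""
    old = chain[0]
    forged = mine(old["prev"], new_txs, old["time"], old["bits"])
    return [forged] + chain[1:]
```

Re-mining one altered block is not enough, because every later block commits to the old hash; the whole suffix has to be redone, which is what ties control of the ledger to hash power.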
Mining hash rate of Bitcoin network
5.5 EH/s = 5.5 ExaHash per second = 5.5 × 10^18 hash/second = 2^62.3 hash/second
[Chart: mining hash rate; axis scale Mega, Giga, Tera, Peta, Exa]
Mining has become industrial
Slide credit: Joseph Bonneau
Mining equipment on Amazon
Cost of Leaderless Consensus
Distributed consensus protocol:
◦ whichever coalition deploys most hash power, has control of the blockchain
◦ 5.5 × 10^18 hash/second is a significant cost.
◦ not performing any useful task!
Electricity + Networking costs:
◦ 0.10 W/GH/s or 550 MWatt (1/2 of a nuclear plant)
◦ @ 10 cent per KWh: 1 block costs 9200 $ electricity (12.5 BTC = +/- 32,400 $)
Profit calculator: http://www.vnbitcoin.org/bitcoincalculator.php
Number of Transactions Per Day
Bank card payments: around 10.000 per second?
3.5 transactions/s
cost per transaction 24 $ (18% from fees)
transaction fees: 0.88% of volume
large share goes to a few addresses
AltCoins
Today: 700+ currencies derived from Bitcoin (see http://mapofcoins.com/bitcoin)
Slide credit: F. Vercauteren
Some observations on Bitcoin
Bitcoin community aspires to be mainstream but behaves as rebels
◦ this is not sustainable
Volatile
Paying and secure storage somewhat complex
No peace of mind for users: if you are hacked, tough luck
Most miners are in China (70%)
Incentives system complex
Not clear that the system will survive, but some ideas will for sure
2017
Open issues: Bitcoin
Is Bitcoin incentive compatible?
◦ Convergence
◦ Fairness
◦ Liveliness
◦ Sybil attack: attacker controls many nodes in network, can refuse to relay or can favour his own blocks
◦ Selfish mining attack
◦ Bribery
Some proofs exist in simplified models
Open issues: cryptocurrencies
Design of contracts (e.g. trading digital art)
Blockchain technology for non-currency applications:
◦ typical applications: decentralized consensus required
◦ Namecoin: key-value registration and transfer platform, used for domain names etc…
◦ Ethereum: contract processing and execution platform using Turing-complete language
Can we avoid the enormous computational cost? (proof of stake)
Is a zero-governance currency possible? Bitcoin needs governance for “hard” upgrades
Business
Financial world dislikes
◦ distributed control
◦ full transparency
◦ unclear governance (or anarchy)
◦ uncontrolled money supply
Restrict: write, verify or read (fully private blockchain)
Distributed Ledger: a range of solutions
Public Blockchain
• No central point of control by individuals, corporations or governments
• Permissionless to participate
• Consensus based on “proof of work”
• Examples:
  • Bitcoin
  • Ethereum
Consortium/Hybrid Blockchain
• Controlled by > 2 individuals, corporations or governments
• Permission on participation from consortium necessary
• Arbitrary consensus mechanism
• Readability of the blockchain can be public or restricted to the consortium
• Example: RSCOIN (UC London)
Full private Blockchain
• Controlled by one individual, corporation or government (no consensus needed)
• Permission on participation from owner necessary
• Readability of the blockchain can be public or restricted to one
Distributed Ledger
distributed database - only needed if
◦ multiple mutually distrustful writers
◦ no intermediate party that is trusted by all players
◦ interactions or dependencies between the transactions
Financial sector: disintermediation?
◦ 20% seriously investing
◦ 20% planning to invest
◦ 20% watching the space very closely
Aite Group: blockchain market could be worth as much as $400m in annual business by 2019
Distributed Ledger: open questions
Explore the continuum between fully open and fully restricted ledgers?
Develop a methodology to design restricted distributed ledgers as a function of the business requirements
Which advanced cryptographic and scripting techniques can be used in private or permissioned ledgers to improve privacy and to allow for complex transactions such as smart contracts?
Distributed Ledger
https://media.licdn.com
http://www.ecrypt.eu.org/csa/documents/D3.2-Cryptocurrencies.pdf
Pointers
http://www.ecrypt.eu.org
http://www.bitcoin.org
http://www.blockchain.com
http://www.vnbitcoin.org/bitcoincalculator.php
http://randomwalker.info/bitcoin/
http://www.coindesk.com/
Nathaniel Popper, Digital Gold, Harper, 2015
Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Steven Goldfeder. Bitcoin and cryptocurrency technologies, Princeton University Press, 2016
A. Biryukov, D. Khovratovich, I. Pustogarov: Deanonymisation of Clients in Bitcoin P2P Network. ACM Conference on Computer and Communications Security 2014: 15-29
S. Meiklejohn, M. Pomarole, G. Jordan, K. Levchenko, D. McCoy, G. M. Voelker, S. Savage: A fistful of bitcoins: characterizing payments among men with no names. Internet Measurement Conference 2013: 127-140
Financial Cryptography conference series
Bart Preneel, imec-COSIC KU Leuven
ADDRESS: Kasteelpark Arenberg 10, 3000 Leuven
WEBSITE: homes.esat.kuleuven.be/~preneel/
EMAIL:
TWITTER: @CosicBe
TELEPHONE: +3216321148
ECRYPT CSA
http://www.ecrypt.eu.org